Method of producing a cryptographic unit for an asymmetric cryptography system using a discrete logarithm function

ABSTRACT

The invention relates to a family of public-key cryptography schemes that use the discrete logarithm problem, with the aim of reducing the cost of developing, producing and maintaining a cryptographic unit. One of the entities (10) performs a calculation comprising at most a small number of additions, subtractions and multiplications of integers, this calculation being common to all the schemes of the family. This calculation is preferably the main calculation to be performed by the entity in question, since most of the other calculations can be performed in advance. In particular, the calculation is of the form y=ar+bs, where r is a random number and s is a secret key specific to the entity (10). The calculation is common to a family of schemes for entity authentication, message authentication, digital signature and key exchange.

BACKGROUND OF THE INVENTION

The present invention relates to the technical domain of cryptography, and more precisely of so-called asymmetric or public key cryptography.

In this type of cryptography, each user holds a pair of keys, consisting of a secret key and of an associated public key, for a given use.

For example, if one is dealing with a key pair dedicated to confidentiality, then the public key is used to encrypt the data, while the secret key is used to decrypt them, i.e. to decipher these data. If one is dealing with a key pair dedicated to data authenticity, then the secret key is used to digitally sign the data, while the public key is used to verify the digital signature. Other uses (entity authentication, exchange of keys, etc.) are possible.

Public key cryptography is very useful insofar as, unlike secret key cryptography, it does not require the parties involved to share a secret in order to set up a secure communication. However, this advantage in terms of security is accompanied by a disadvantage in terms of performance, since public key cryptography methods (also called "public key schemes") are, for equal resources, often a hundred or a thousand times slower than so-called secret key cryptography methods (also called "secret key schemes"). As a result, to obtain reasonable calculation times, the cost of the circuits implementing these algorithms is often very high.

This is particularly true of the so-called RSA encryption and digital signature scheme (see R. L. Rivest, A. Shamir and L. M. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, Vol. 21, No. 2, pp. 120-126, February 1978). This scheme relies on the difficulty of the integer factorization problem: given a large integer (typically more than 1,000 bits in its base 2 representation) equal to the product of two or more prime factors of comparable sizes, no efficient procedure is known for retrieving these prime factors. The calculations performed in this scheme therefore involve very large numbers. They cannot be performed in less than a second on a chip card unless the latter is fitted with a specialized cryptographic coprocessor, which considerably increases its cost. Moreover, since the efficiency of factorization procedures grows fairly rapidly with time, key lengths often have to be revised upward, to the detriment of performance.

The question of reducing the cost of chips implementing public key schemes therefore arises.

There are principally two approaches to tackling this question. The first consists in specifying new cryptographic schemes, preferably (but not necessarily) based on problems other than factorization, which make it possible to significantly speed up the calculation times. This avenue is much explored and has given rise to numerous results. However, in the great majority of cases, either the improvement compared with RSA is not significant enough to envisage replacing it, or the security has not been sufficiently well established.

The second approach consists in manufacturing chips in such quantity that their cost decreases in large proportion. This is what will perhaps happen with RSA if the international banking organizations confirm the choice of this scheme for future chip-based bank cards. However, the cost of an RSA chip is so high at the outset that it will always remain substantial, whatever the number of chips fabricated.

It will be noted that many public key cryptographic schemes have in common the use of operations on integers as basic operations, such as modular multiplications (ab (modulo n)), modular divisions (a/b (modulo n)) or modular exponentiations (a^(b) (modulo n)), where a, b and n are integers. However, these operations are never exactly the same. Consequently, each time the cryptographic scheme is modified, it is necessary to change the program or the circuit of the security device which performs the cryptographic calculations.

An object of the present invention is to decrease the cost of public key cryptographic units by combining the two approaches above.

SUMMARY OF THE INVENTION

The invention thus proposes a method of producing a cryptographic unit associated with an integer secret key s in an asymmetric cryptography system, wherein the cryptographic unit is equipped with a component produced independently of the cryptography system and suitable for delivering an integer y through a combination of several integer operands including a random number r, the secret key s and at least one further operand (a, b). After the cryptography system has been selected by associating with the secret key s a public key comprising a first element g of a set G provided with a multiplication operation, the cryptographic unit is equipped with a generator of cryptographic data suites, each including a random number r submitted as operand to said component and a value x dependent on the element g^(r) of the set G, and delivered by the unit in association with the integer y.

The component, which may consist of one or more circuit portions or of one or more software modules, applies a basic cryptographic operation of very fast execution, which may advantageously be common to a large number of different cryptographic schemes (authentication, signature, key exchange schemes, etc.) using diverse mathematical objects (sets G and multiplication operations making it possible to define a variety of discrete logarithm functions).

The fact that this component is common to a large number of schemes allows better amortization of the industrial development and fabrication costs. Generic units (for example chip cards) fitted with the component can advantageously be produced in very large quantity, given that these units will be suitable for all the schemes of the relevant family and will usually achieve the performance demanded by any given application.

More particularly, the public key further comprises an element v of the set G such that v=g^(s) or v=g^(−s). The method gives rise to cryptographic units able to apply a whole family of schemes based on the generalized discrete logarithm problem. This problem can be stated in its generality as follows: let G be a set provided with a multiplication operation (i.e. a function which associates with two elements a and b an element denoted "a.b", or simply "ab", called the product of a and b), g an element of G, u a (large) integer and w the element of G defined by w=g^(u) (i.e. the product gg . . . g with u occurrences of g); then it is in practice impossible to retrieve u from g and w.

European patent No. 0 666 664 describes an exemplary electronic signature scheme of this type, where G is the set of integers at least equal to 0 and smaller than n, and the multiplication operation is the ordinary product of integers modulo n.

With the method according to the invention, if it turns out that, for a given set G and a certain multiplication operation, discrete logarithm calculation algorithms much more efficient than those previously known are discovered, then it suffices to change the set in which the calculations are performed and/or the multiplication operation in order to recover the desired security level.

The discrete logarithm problem can a priori be stated in any set provided with an operation. However, in order for it to be possible to perform the calculation of an exponential in a short time and provide a result of small size, certain properties are required, such that at present the most appropriate sets are groups. Among other properties, a group always contains a neutral element, i.e. an element denoted ε (or simply 1) such that the products ε.a and a.ε are both equal to a, for any element a. Moreover, every element a possesses in the group an inverse denoted a⁻¹, i.e. an element such that the products a⁻¹.a and a.a⁻¹ are both equal to ε. Typical examples of groups used in cryptography are the multiplicative groups of rings or fields of integers, and elliptic curves.

It is thus possible to define a cryptographic component which does not depend in any way on the relevant group, or more generally on the set G under consideration. This implies firstly that this component does not act on elements of the set itself. It also implies that it does not depend on characteristics of the group nor on the element g under consideration, in particular on the order of g in G, i.e. the smallest nonzero integer q (if it exists) satisfying g^(q)=ε.

In a preferred embodiment of the invention, the combination effected by the component consists only of a small number of additions, subtractions and multiplications between integers, none of which has any connection with the characteristics of G and of g. In particular, this combination can be of the form y=ar+bs, where a and b are two further integer operands. A further simplification consists in taking a=1 or b=1.

An advantage of such a component is its speed: if there are only a few multiplications to be performed (one or two), the component will be fast (a few milliseconds) and may be incorporated into any environment, in particular into a low-cost microprocessor card.

The generator of cryptographic data suites may be constructed by associating a random number generator with a module for calculating exponentials over the set G.

However, in the preferred embodiment of the method, the generator of cryptographic data suites comprises a programmable memory for receiving pairs {r, x} or {r, g^(r)} calculated in advance. In this way, the cryptographic unit can be produced in its entirety independently of the set G and of the multiplication operation that are adopted. It merely remains to write to the programmable memory the secret key s and a certain number of pairs {r, x} or {r, g^(r)} calculated in advance. In operation, the common component will carry out the sole calculation required at the level of the cryptographic unit.

The fact that the unit can thus be used autonomously makes it possible to further improve the amortization of the development and fabrication costs, since the same circuit (rather than only the same part of the circuit) can be used in various target applications. Moreover, the fact that the component is very fast in execution makes it possible to install it in very low cost circuits, and hence, in autonomous mode, in very inexpensive units such as regular microprocessor cards, with or without contacts.

A further advantage of this autonomy is the possibility of changing the cryptographic scheme, for example because the latter has been broken (i.e. because attacks have been found that considerably reduce the level of security it provided), without having to develop and fabricate another circuit, with the resulting productivity savings.

If, moreover, the unit uses a value x whose length is not intended to vary over time (for example because its calculation from g^(r) involves a predefined hash function), then it is also possible, while retaining the same scheme, to change the lengths of the other keys used without having to develop and fabricate another circuit.

Furthermore, in the last two situations, not only is there no reason to develop and fabricate another circuit, but, if the latter is suitably designed, there is not even any reason to change the security devices (for example the chip cards) that contain them, even after these devices have been deployed. This advantage is very significant, since changing the circuit or the program of a circuit in a security device already in circulation (or the security device itself) is always a very expensive operation.

The invention can advantageously be used by semiconductor manufacturers producing secure chips, industries fabricating security devices from these chips, such as chip embedders (chip cards with or without contacts), and the organizations (banks, telecommunications, transport operators, etc.) deploying such devices, for which the replacement of the cryptographic units incurs a high development, fabrication, management or maintenance cost.

To summarize, the invention gives rise to a family of public key cryptography schemes using the discrete logarithm problem, in which one of the entities performs a calculation consisting at most of a small number of additions, subtractions and multiplications of integers, this calculation being common to all the schemes of the family. This calculation preferably represents most of the calculations to be performed by this entity, since most of the other calculations may be performed in advance.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1 to 4 are schematic diagrams of cryptographic units produced in accordance with the invention.

DESCRIPTION OF PREFERRED EMBODIMENTS

Considered below is a family of entity authentication protocols, with extensions to the authentication of messages and to the digital signature of messages, and of key exchange protocols, all implementing a common component. The authenticity of a public key of an entity A used by another entity B is assumed to have been verified previously by this entity B.

Let G be a set provided with a multiplication operation and g be an element of G. The secret key of the entity A is an integer s. It should be noted that the size of this integer s (number of bits of its base 2 representation) is independent of G and of g. The public key associated with s for the entity A is the pair {g, v}, where v=g^(s).

In an exemplary embodiment of the invention, the authentication of entity A by entity B takes place as follows:

1. A randomly picks an integer r, calculates x=g^(r) and sends x to B;
2. B randomly picks two integer operands a and b, and sends them to A;
3. A calculates y=ar+bs and sends y to B;
4. B verifies that g^(y)=x^(a)v^(b).

Many variants of this basic protocol are possible, as is its adaptation to message authentication and to digital message signature:

- a or b can be fixed in advance at a non-zero value (for example a=1), in which case this operand need not be transmitted and the combination y=ar+bs involves only one multiplication;
- y=ar+bs can be replaced by y=ar−bs and the verification equation by g^(y)v^(b)=x^(a);
- y=ar+bs can be replaced by y=bs−ar and the verification equation by g^(y)x^(a)=v^(b);
- y=ar+bs can be replaced by y=−ar−bs and the verification equation by g^(y)x^(a)v^(b)=1;
- if G is a group, the sign of the secret key s can be reversed, i.e. we can take v=g^(−s)=(g^(s))⁻¹, in which case the verification equation becomes g^(y)v^(b)=x^(a); this choice can of course be combined with any one of the above variations;
- in each case where the verification equation is of the form g^(y)v^(b)=x, thus assuming a=1, x=g^(r) can be replaced by x=f(g^(r)), where f is a function, for example equal to (or including) a cryptographic hash function; the verification equation then becomes f(g^(y)v^(b))=x;
- again in each case where the verification equation is of the form g^(y)v^(b)=x, thus assuming a=1, if M is a message to be certified by A, x=g^(r) can be replaced by x=f(g^(r), M), where f is a function, for example equal to (or including) a cryptographic hash function; the verification equation then becomes f(g^(y)v^(b), M)=x; the protocol obtained is a message authentication protocol;
- again in each case where the verification equation is of the form g^(y)v^(b)=x, thus assuming a=1, if M is a message to be certified by A, x=g^(r) can be replaced by x=f(g^(r), M), where f is a function, for example equal to (or including) a cryptographic hash function, and b is then calculated as b=h(x), where h is a function with no particular cryptographic properties, for example the identity; in this case step 2 no longer requires any interaction, since the operand b is derived by A from x rather than picked by entity B; the verification equation becomes f(g^(y)v^(h(x)), M)=x; the protocol obtained is a digital message signature protocol (in the particular case where G is the set of non-negative integers less than n and the operation is multiplication modulo n, we recover the electronic signature scheme described in European patent 0 666 664).
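The four-step protocol and its listed variants, as an added example that is not part of the patent text. The group is a toy Schnorr-style subgroup modulo a small prime (p=2039, q=1019, g=4; an assumption of this example, far too small for real use); the component class never reads those parameters, which is the property the text is after. Since the component does not reduce y modulo the order of g, r is drawn from a range wider than |bs| by a margin, so that y hides s statistically; that margin, the key and challenge sizes and the use of SHA-256 as f are choices of this example, not of the patent. The signature part takes a=1, v=g^(−s) and h equal to the identity, as in the last variant.

```python
import hashlib
import secrets

# Toy parameters, an assumption of this example and far too small for real
# use: p = 2q + 1 with q prime, and g = 4 generates the order-q subgroup of
# the multiplicative group modulo p. The component below never reads p, q or g.
P, Q, G = 2039, 1019, 4

S_BITS = 32      # size of the secret key s (assumed)
AB_BITS = 16     # size of the challenge operands a, b (assumed)
MARGIN = 64      # extra bits of r beyond |b*s|, see pick_r()

def gexp(base, e):
    """Exponentiation in G. Python's pow accepts negative exponents (modular inverse)."""
    return pow(base, e, P)

class Component:
    """The scheme-independent brick: y = a*r + b*s over the integers.
    No reduction modulo the order of g, so it knows nothing about G."""
    def __init__(self, s):
        self._s = s
    def combine(self, a, r, b):
        return a * r + b * self._s

def pick_r(b_bits):
    # y is never reduced modulo q, so r must come from a range wider than
    # |b*s| by a comfortable margin for y to hide s statistically.
    return secrets.randbits(S_BITS + b_bits + MARGIN)

def keygen():
    s = secrets.randbits(S_BITS) | 1
    return s, gexp(G, s), gexp(G, -s)          # s, v = g^s, v_neg = g^-s

# Sign pattern of (a, b) inside y for the four listed forms of the combination.
VARIANTS = {"ar+bs": (1, 1), "ar-bs": (1, -1), "bs-ar": (-1, 1), "-ar-bs": (-1, -1)}

def step3_response(comp, a, r, b, variant="ar+bs"):
    sa, sb = VARIANTS[variant]
    return comp.combine(sa * a, r, sb * b)

def step4_verify(v, x, a, b, y, variant="ar+bs"):
    """Checks g^y = x^(sa*a) * v^(sb*b), i.e. each listed equation rearranged:
    ar+bs: g^y = x^a v^b;  ar-bs: g^y v^b = x^a;
    bs-ar: g^y x^a = v^b;  -ar-bs: g^y x^a v^b = 1."""
    sa, sb = VARIANTS[variant]
    return gexp(G, y) == gexp(x, sa * a) * gexp(v, sb * b) % P

def authenticate(comp, v, variant="ar+bs"):
    """Steps 1-4 between prover A (holding comp) and verifier B (holding v)."""
    r = pick_r(AB_BITS)
    x = gexp(G, r)                                                # 1. A -> B: x
    a = secrets.randbits(AB_BITS) | 1                             # 2. B -> A: a, b
    b = secrets.randbits(AB_BITS) | 1
    y = step3_response(comp, a, r, b, variant)                    # 3. A -> B: y
    return step4_verify(v, x, a, b, y, variant), {"x": x, "a": a, "b": b, "y": y}

def f_hash(elem, msg):
    """The function f of the text: x = f(g^r, M), here SHA-256 read as an integer."""
    n = (P.bit_length() + 7) // 8
    return int.from_bytes(hashlib.sha256(elem.to_bytes(n, "big") + msg).digest(), "big")

def sign(comp, msg):
    """Signature variant: a = 1, v = g^-s, b = h(x) with h the identity, so
    step 2 disappears and A needs no challenge from anyone."""
    r = pick_r(256)                      # b = x is a 256-bit hash here
    x = f_hash(gexp(G, r), msg)
    y = comp.combine(1, r, x)            # y = r + x*s: one multiplication
    return x, y

def verify_signature(v_neg, msg, x, y):
    """f(g^y * v^h(x), M) == x, since g^y v^x = g^(r + xs) g^(-xs) = g^r."""
    return f_hash(gexp(G, y) * gexp(v_neg, x) % P, msg) == x
```

Swapping G for another group changes only gexp, keygen and the encoding inside f_hash; Component, step3_response and sign are untouched, which is the amortization argument of the text in code.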

It is noted that in step 3, entity A has only one addition and one or two multiplications of integers to perform. It is also noted that this combination is independent of the selected set G. Finally, it is noted that the other calculation (x=g^(r) or f(g^(r))) that A has to perform may be done in advance. It is thus possible to calculate a certain number of values of g^(r) (to which a function f is or is not applied) in advance, and then to store them in a programmable memory in association with the corresponding random numbers r.

With the same parameters, supplemented with a private key s′ and an associated public key {g′, v′} for entity B, obtained according to the same rules as for entity A with g′=g and v′=g^(s′), a key exchange protocol can be defined as follows:

1. A randomly picks an integer r, calculates x=g^(r) and sends x to B; A calculates the common key K=v′^(r) (=g^(s′r));
2. B randomly picks two integer operands a and b and sends them to A;
3. A calculates y=ar+bs and sends y to B;
4. B verifies that g^(y)=x^(a)v^(b); B calculates the common key K=x^(s′) (=g^(rs′)).

This protocol enables on the one hand a key to be exchanged according to the Diffie-Hellman scheme, and on the other hand the key exchange to be authenticated on either side: B checks A explicitly through the verification equation, and only the holder of s′ can derive K from x. The common key K could also be calculated as a predetermined function of v′^(r).

It is again noted that in step 3, entity A has only one addition and only one or two multiplications of integers to perform. It is also noted that this combination is independent of the set G chosen. Finally, it is noted that the other calculations that entity A has to perform may be done in advance. It is therefore possible to calculate a certain number of values of x and of K in advance, and then to store them in a programmable memory.
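The key exchange above, with the suites {r, x, K} precomputed and stored ahead of time as the last paragraph (and FIG. 4) describe, as an added example that is not part of the patent text. Same toy group as before (p=2039, q=1019, g=4, an assumption, not for real use); the HMAC-SHA256 derivation in kdf is one choice for the "predetermined function of v′^(r)" and is likewise an assumption. The only live work on A's side is the integer combination; everything involving G was done at personalisation time.

```python
import hashlib
import hmac
import secrets

# Same toy group as before (assumption for the example, far too small for
# real use): p = 2q + 1, g = 4 of prime order q modulo p.
P, Q, G = 2039, 1019, 4
S_BITS, AB_BITS, MARGIN = 32, 16, 64

def gexp(base, e):
    return pow(base, e, P)

def keygen():
    s = secrets.randbits(S_BITS) | 1
    return s, gexp(G, s)                       # (s, v = g^s); B's pair is (s', v')

def precompute_suites(v_prime, count):
    """What personalisation writes to the unit's programmable memory:
    suites {r, x = g^r, K = v'^r}. Needs B's public key v' in advance."""
    suites = []
    for _ in range(count):
        r = secrets.randbits(S_BITS + AB_BITS + MARGIN)   # wide range, y is not reduced
        suites.append({"r": r, "x": gexp(G, r), "K": gexp(v_prime, r)})
    return suites

def kdf(K):
    """Optional: the common key as a predetermined function of v'^r (assumed HMAC)."""
    return hmac.new(b"kx-demo-label", K.to_bytes(2, "big"), hashlib.sha256).digest()

def unit_a_online(s, suite, a, b):
    """The only live work in A: y = a*r + b*s from the stored suite."""
    return a * suite["r"] + b * s

def unit_b(s_prime, v, x, a, b, y):
    """B's side of step 4: verify A, then derive K = x^s'. Returns K or None."""
    if gexp(G, y) != gexp(x, a) * gexp(v, b) % P:
        return None
    return gexp(x, s_prime)

def run_exchange(s, v, s_prime, v_prime, suites):
    """Step 1: A sends x (and already holds K); step 2: B sends a, b;
    step 3: A sends y; step 4: B verifies and derives K. Returns (K_A, K_B)."""
    suite = suites.pop()                         # consume a suite; never reuse one
    x, k_a = suite["x"], suite["K"]              # step 1
    a = secrets.randbits(AB_BITS) | 1            # step 2
    b = secrets.randbits(AB_BITS) | 1
    y = unit_a_online(s, suite, a, b)            # step 3
    k_b = unit_b(s_prime, v, x, a, b, y)         # step 4
    return k_a, k_b
```

The two sides agree because v′^(r) = g^(s′r) = (g^(r))^(s′) = x^(s′); an impostor who does not hold s cannot produce a y that satisfies B's check, so B never derives a key for it.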

Thus, by developing a program or a circuit implementing the sole function y=ar+bs (or one of the alternatives mentioned above), a basic software or hardware brick is obtained that can be used in different cryptographic schemes fulfilling different roles such as authentication, key exchange, etc. A scheme fulfilling a given role may even be modified during the lifetime of the security device including this program or this circuit. For example, it is possible to replace the authentication scheme by another one, or to keep the same one but modify the set or the group G in which the calculations are performed. Indeed, these modifications have an impact only on the values calculated in advance, not on the component itself.

FIG. 1 diagrammatically shows an exemplary cryptographic unit A produced according to the invention. This unit consists of a chip having a region 10 to which access is protected by techniques well known to those skilled in the art.

The protected region 10 comprises the programmable memory 11 intended to receive on the one hand the secret key s of the unit A (area 12), and on the other hand pairs {r, g^(r)} determined independently of s once the set G and its multiplication operation have been defined (area 13). The protected region 10 furthermore comprises the component 15 serving to calculate the integer y=ar+bs as a function of a random integer r received from the memory area 13, of the secret key s received from the memory area 12 and of the two further operands a, b submitted by a control module 16.

Various ways of storing several pairs {r, g^(r)} in the area 13 are possible. Each value of r and each value of g^(r) can for example be stored in extenso in a table with associative matching between the value of r and the value of g^(r) of the same pair. Advantageously, in microcircuits with limited memory size, a simple index is associated with each value of g^(r) so as to save the memory space that would be required for storing several values of r, which are generally large. The various values of r are pre-calculated by means of a pseudo-random generator from a seed value r₀ and from the corresponding index, so that the value of g^(r) can be pre-calculated and stored for this index. The programmable memory 11 then comprises the pseudo-random generator and initially the seed value r₀, so that each value of r is obtained from the corresponding index by activating the pseudo-random generator, without having to store each value of r in extenso in order to match it up with the value of g^(r) by virtue of the index.
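The indexed layout of area 13, as an added example that is not part of the patent text: the table holds only (index, g^(r)) and r is regenerated from the seed r₀ and the index on demand. HMAC-SHA256 stands in for the chip's pseudo-random generator, and the group is the same toy subgroup as in the earlier examples (assumptions, not for real use). The example also shows the check a practitioner wants around such a table: an entry must be delivered once and never again, because two responses computed on the same r with different operands give s by exact integer division (the component never reduces y modulo the order of g).

```python
import hashlib
import hmac
import secrets

# Same toy group as in the earlier examples (assumption, not for real use).
P, Q, G = 2039, 1019, 4
S_BITS, AB_BITS, MARGIN = 32, 16, 64
R_BITS = S_BITS + AB_BITS + MARGIN          # width of r, wider than |b*s| by MARGIN

def gexp(base, e):
    return pow(base, e, P)

def derive_r(seed, index):
    """Pseudo-random generator of area 13: r_index from the seed r0 and the index.
    HMAC-SHA256 stands in for whatever generator the chip uses (an assumption)."""
    mac = hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - R_BITS)      # keep R_BITS bits

def personalise(seed, count):
    """Done off-card once G and g are fixed: store only (index, g^r), not r."""
    return [(i, gexp(G, derive_r(seed, i))) for i in range(count)]

class Area13:
    """Memory area 13: seed r0 plus an indexed table of g^r values.
    Each entry is marked used after one delivery; recover_s() shows why."""
    def __init__(self, seed, table):
        self._seed = seed
        self._table = dict(table)
        self._used = set()

    def take(self):
        """Deliver (r, g^r) for the lowest unused index, regenerating r on the fly."""
        for index in sorted(self._table):
            if index not in self._used:
                self._used.add(index)
                return derive_r(self._seed, index), self._table[index]
        raise RuntimeError("area 13 exhausted: re-personalise the unit")

def component_15(s, a, r, b):
    """The common component: y = a*r + b*s over the integers."""
    return a * r + b * s

def recover_s(t1, t2):
    """Why an entry must never be served twice. Two transcripts (a, b, y) on the
    same r satisfy y1 = a1 r + b1 s and y2 = a2 r + b2 s, so
    (a1 b2 - a2 b1) s = a1 y2 - a2 y1 exactly, since nothing was reduced."""
    (a1, b1, y1), (a2, b2, y2) = t1, t2
    det = a1 * b2 - a2 * b1
    if det == 0:
        return None
    num = a1 * y2 - a2 * y1
    return num // det if num % det == 0 else None
```

Marking entries as used costs one bit per index, which is cheap next to the g^(r) values themselves; a unit that could be reset or replayed into serving the same index twice would hand its secret key to the verifier.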

In response to an authentication request issued by a remote entity B, the control module 16 orders the memory area 13 to deliver an integer r addressed to the component 15 and also the associated element g^(r) of the set G, which may constitute the value x transmitted to the entity B. The further operands a, b received from entity B are moreover presented to the component 15 by the control module 16, and then the integer y returned by the component is communicated to entity B by the control module 16. Entity B, which knows the public key g, v, will then be able to authenticate A with the aid of the verification equation g^(y)=x^(a)v^(b).

In the variant of FIG. 2, the unit A caters for the authentication of messages M. The protected region 10 and the control module 16 are essentially the same as in the example of FIG. 1, with a fixed at 1. The protected region 10 is supplemented with a hash module 18 which applies a predetermined cryptographic hash function f. The arguments of this function f are the element g^(r) coming from the memory area 13 and the message to be certified M provided by the control module 16. The result x is addressed to the control module 16, which communicates it to entity B.

The hash module 18 could also be present in the embodiment according to FIG. 1, without the argument M (or with a default value of this argument), so as to produce a value x having a size specified independently of the set G.

It is therefore seen that the same circuit is suitable for both applications.

The same holds for the unit according to FIG. 3, which caters for the signing of messages M, i.e. independently of the entities which may subsequently examine this signature. If the result x delivered by the hash module 18 takes the form of an integer, it can be provided to the component 15 as operand b. It is also possible to apply a function h to it beforehand, as indicated previously.

In the embodiment according to FIG. 4, the memory area 13 further associates with each random number r a secret session key K determined as a function of the public key {g, v′} of entity B (which must therefore be known in advance): K=v′^(r). This session key K is addressed to a secret key cryptography unit 20 operating in a conventional manner according to a symmetric cryptography algorithm, so as to be usable in a communication with the entity B. The latter makes sure of the integrity of the secret key K with the aid of the verification equation g^(y)=x^(a)v^(b) or of one of its variants described previously.

CLAIMS

1. A method of producing a cryptographic unit associated with an integer secret key s in an asymmetric cryptography system, comprising the steps of: providing the cryptographic unit with a component produced independently of the cryptography system and suitable for delivering an integer y through a combination of several integer operands including a random number r, the secret key s and at least one further operand (a, b); selecting the cryptography system by associating with the secret key s a public key comprising a first element g of a set G provided with a multiplication operation; and providing the cryptographic unit with a generator of cryptographic data suites including a programmable memory receiving pairs {r, x} or {r, g^(r)} calculated in advance, said cryptographic data suites each including said random number r submitted as operand to said component and said value x dependent on the element g^(r) of the set G, and delivered by the unit in association with the integer y.

2. The method as claimed in claim 1, wherein the public key comprises a second element v of the set G such that v=g^(s) or v=g^(−s).

3. The method as claimed in claim 1, wherein the combination performed by said component is of the form y=ar+bs, where a and b are two further operands.

4. The method as claimed in claim 1 for the production of a cryptographic unit implementing a key exchange protocol, wherein the cryptographic unit is equipped with means of communication with another cryptographic unit to which the value x and the integer y are sent, said other cryptographic unit being associated with another integer secret key s′, and wherein the step of selecting the cryptography system comprises associating with the secret key s′ a public key composed of the element g and of another element v′ of the set G such that v′=g^(s′), wherein each cryptographic data suite produced by said generator includes, in addition to the random number r and said value x, a common key K dependent on the element v′^(r) of the set G, which is not transmitted to said other cryptographic unit.

5. The method as claimed in claim 3, wherein the further operands a and b are received from a verification unit to which the value x and the integer y are sent.

6. The method as claimed in claim 3, wherein one of the further operands is equal to 1.

7. The method as claimed in claim 6, wherein the set G provided with the multiplication operation possesses a group structure.

8. The method as claimed in claim 7, wherein said component is so arranged that the other further operand is received from a verification unit to which the value x and the integer y are sent, and wherein the obtaining of the value x as a function of the element g^(r) comprises applying a hash function.

9. The method as claimed in claim 7 for the production of a cryptographic unit implementing a message authentication protocol, wherein said component is so arranged that the other further operand is received from a verification unit to which the value x and the integer y are sent, and wherein the value x is a function of the element g^(r) and of the content of a message to be certified by a device incorporating the cryptographic unit.

10. The method as claimed in claim 7 for the production of a cryptographic unit implementing a digital message signature protocol, wherein the further operand b is calculated as a function of the value x, and wherein the value x is a function of the element g^(r) and of the content of a message to be certified by a device incorporating the cryptographic unit.

11. The method as claimed in claim 4, wherein the generator of cryptographic data suites comprises a programmable memory for receiving triplets {r, x, K} or {r, g^(r), v′^(r)} calculated in advance.